Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Valid
Reported on
Nov 1st 2021
Description
An attacker is able to log out a user if that logged-in user visits the attacker's website.
Impact
This vulnerability allows an attacker to force a user into an unintentional logout.
Test
Tested on Edge, Firefox, Chrome and Safari.
Fix
You should use POST instead of GET/ANY.
To expand:
One way GET/ANY could be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, they will be unknowingly logged out. This is why the logout route should be a POST protected with a @csrf token.
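The fix the report asks for, shown as an added Laravel illustration (not firefly-iii's own route file or controller): the weak any-method route next to a POST-only route, which the web middleware group's VerifyCsrfToken middleware then protects. The handler body, redirect target and Blade partial path are assumptions.

```php
<?php
// routes/web.php (added illustration, not firefly-iii's own route file)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Weak: Route::any (or Route::get) answers a plain GET, so a cross-origin
// <img src="https://app.example/logout"> logs the visitor out with no check.
// Kept here, commented out, only to show what the fix replaces.
// Route::any('/logout', function (Request $request) { ... });

// Fixed: POST only. Routes in web.php sit inside the 'web' middleware group,
// whose VerifyCsrfToken middleware rejects a POST that lacks a valid _token
// bound to the session, so an image tag or cross-site form cannot trigger it.
// (Hypothetical handler body; the real controller may differ.)
Route::post('/logout', function (Request $request) {
    Auth::logout();
    $request->session()->invalidate();      // drop the old session data
    $request->session()->regenerateToken(); // issue a fresh CSRF token
    return redirect('/login');
})->name('logout');

// A GET to /logout now fails with 405 Method Not Allowed instead of
// logging the user out.

// resources/views/partials/logout.blade.php (added illustration):
// the logout link must become a form so the browser submits the @csrf token.
//
//  <form method="POST" action="{{ route('logout') }}">
//      @csrf
//      <button type="submit">Logout</button>
//  </form>
```

To verify the fix, request the logout URL with GET while logged in and confirm the response is 405 and the session survives; a POST without the _token field should be rejected with 419.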
Note
While this cannot harm a user's account, it can be a great annoyance and is considered a valid CSRF.
Occurrences
We have contacted a member of the firefly-iii team and are waiting to hear back
web.php#L84